Privacy Policy

Last updated: 2026-05-25 · In effect

Welcome to Tariffin (“we”, “us”, “the site”, operating at tariffin.com). This policy explains what personal data we collect, how we use it, how we protect it, and what rights you have. By accessing or using the site you confirm you have read and agree to this policy.

1. Information we collect

1.1 Automatically collected (no signup required)

  • Visit log: pages visited, referrer, User-Agent, timestamp, country code (resolved from IP by Vercel, country-level precision only — raw IP is never stored).
  • IP hash: a one-way SHA-256 hash of the IP with a site salt, of which only the first 32 characters are kept. Used solely for unique-visitor counting and abuse prevention. The original IP is never stored.
  • Session ID: an HttpOnly cookie named tariffin_sid (30-day expiry) used to group requests from the same browser into one session for UV and dwell-time measurement. The cookie holds a random string with no personal info.
  • Bot fingerprint: if you appear to be a robot (Googlebot, GPTBot, etc.), we log the UA and the path hit, but no session cookie.

1.2 Information you actively provide

  • Account signup: email (for Magic Link login), display name, avatar (if you use Google OAuth).
  • Classification queries: the product descriptions you submit are sent to the DeepSeek API for HS reasoning. The full input text, output HS code, confidence score, and rationale are stored in our user_events table linked to your account (so the “Query history” page can show them).
  • Landed-cost inputs: HS code, declared value, destination country, freight, insurance, etc. — stored as event logs for history and product improvement.
  • Newsletter subscription: if you subscribe to the weekly digest, we store your email + subscription source. Used only to deliver content you subscribed to; one-click unsubscribe at any time.

2. How we use this information

  • Deliver core services: AI classification, tariff lookup, landed-cost calculation.
  • Account management: signin / signout / plan management / usage metering.
  • Product improvement: aggregate statistics (PV/UV, top pages, dwell time, referrers) used to improve UX. Aggregate stats are never traced back to individuals.
  • Security: detect rogue crawlers, API abuse, brute-force login attempts. May trigger rate-limit or block.
  • Compliance notices: policy subscriptions, security alerts, necessary service-change notifications.

3. Third-party data processors

We share data with the following trusted processors, all of whom have signed DPAs and comply with GDPR/CCPA standards:

  • Supabase (database + auth, servers in Tokyo) — stores accounts, query history, aggregate stats.
  • Vercel (app hosting, servers in Hong Kong) — handles HTTP requests, static asset delivery.
  • DeepSeek (AI inference) — receives the text you submit only when executing HS classification or news translation. DeepSeek states it does not train on user inputs. We do not send your email, IP, or any account info to DeepSeek.
  • Google (OAuth login only) — if you choose Google login, Google returns your email and basic profile per Google’s Privacy Policy.

We do not sell or share any personal data with ad networks, data brokers, or marketing companies.

4. Storage and retention

  • Account info: until you delete the account.
  • Query history: 365 days by default; you can delete individual entries from “My Workspace → Query History” at any time.
  • Visit logs: 90 days, after which only de-identified aggregates remain.
  • Bot logs: 30 days for security analysis.

5. Your rights

Under GDPR / CCPA / PIPL and other applicable laws, you have:

  • Right of access: request all data we hold about you.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure: delete your account and all identifying data (except de-identified aggregate stats).
  • Right to portability: export your data as JSON/CSV.
  • Right to restrict processing: pause certain processing categories.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: unsubscribe from emails, clear session cookies at any time.

To exercise any right, email hello@tariffin.com and we will respond within 30 days.

6. Cookies

We use only strictly necessary cookies:

  • tariffin_sid: anonymous session ID (30 days, HttpOnly, SameSite=Lax).
  • sb-*-auth-token: written by Supabase Auth on signin (exists only after login).
  • NEXT_LOCALE: your language preference.

We use Google Analytics 4 to collect anonymous usage statistics (page views, referrers, device class, session duration) to improve the product. Google Analytics sets _ga / _ga_* cookies which you can clear in your browser settings. We do not use Meta Pixel or any other third-party trackers.

6.1 Third-party ads (Google AdSense)

To keep the site free, some high-traffic pages (HS detail, country detail, news article, landed-cost result) display ads served by Google AdSense. AdSense:

  • Uses cookies to deliver personalized or non-personalized ads (depending on your region; EU/UK default to non-personalized).
  • Reads your IP, user agent, and visit history for ad delivery and fraud prevention.
  • Operates under Google’s own ad privacy policy.

You can opt out of personalized ads at adssettings.google.com. Tariffin itself does not read or store AdSense-set cookies.

7. Children’s privacy

Tariffin is a B2B tool for cross-border trade professionals. We do not knowingly collect data from minors (under 16). If we discover such data, we will delete it immediately.

8. Cross-border data transfer

Since Supabase hosts in Tokyo and Vercel hosts in Hong Kong, your data crosses borders. We only work with vendors who meet GDPR adequacy standards.

9. Security

We apply the following technical and organizational measures:

  • All transit uses HTTPS / TLS 1.3.
  • Encrypted DB connections; Supabase encrypts data at rest by default.
  • IP de-identification via SHA-256 hashing.
  • Tiered key management; server-only Service Role Key never exposed to the client.
  • Login via Magic Link email + Google OAuth; we never store plaintext passwords.

10. Contact

Questions about this Privacy Policy? Email hello@tariffin.com.

This policy may be revised due to legal changes or product updates. Material changes will be communicated to subscribers via in-site banner or email at least 7 days in advance.
